I am currently working on a simple survey system for educational purposes. I know it is subject to SQL Injection, but I am new to PHP/MySQL and wanted to learn something basic so I have something to build upon later.

Basically, I have an HTML form that processes the PHP on the same page:

And I would like to capture the form data and record it into my MySQL database. As of now, the text fields insert without any problems. However, the selected dropdown value does not insert. It doesn't insert anything (a blank record) where the dropdown items are (as well as my comments textbox).

I have error reporting turned off because I'm using a Joomla template that conflicts with one of my modules.

My database is setup with the following columns:

id - Primary - Auto Increment

date - Timestamp - CurrentTimestamp

first_name - Text

last_name - Text

phone - Text

resolved - Text

knowledge - Text

friendly - Text

quickness - Text

referral - Text

comments - Text

The id and date fields do what they are supposed to, and the text fields (first name, last name, and phone) all record with no problems. The problem seems to be with the dropdown lists, and the textarea box.

Am I missing something in my PHP in order to capture the values from the dropdown options and comments textarea? I tried removing the selected value of " " from the html but it still records empty records.

Any advice is greatly appreciated! I'm a pretty novice programmer (if I can call myself that for lack of better words), but am learning. Thank you for taking a look.

Storing posted values in variables is not neccessary by itself but it helps clarity of your code. Compare the following two statements: ... The second version is far more readable and easier to debug (please note that you should wrap array elements in curly braces to get them parsed within double quotes since they are composite variables). Far more important thing is to validate and sanitize the values you get from the user (through $_POST,…

Thank you everyone for the tips and suggestions. I'll +1 each one when I'm back at my computer. BTW, I'm still learning php and MySQL but what is the reason behind giving a var to each value? Is there a good resource online that explains this?

The second version is far more readable and easier to debug (please note that you should wrap array elements in curly braces to get them parsed within double quotes since they are composite variables).

Far more important thing is to validate and sanitize the values you get from the user (through $_POST, $_GET, $_COOKIE arrays). The fact is that you can not trust the user input (you will hear this countless times in web development world). The user can input erroneus data and unintentionally break your application. Or even worse the user can intentionally input malicious data in your web form and do damage to your database and you / your client. A simple example is when user enters specially crafted SQL code in your name field and if you do not check it first you will include that SQL code in your query and send it to your database. i.e the malicious code can expose all your users and passwords or allow login without a password. So it is a really good idea to check whether values are what they are supposed to be and sanitize them (by casting integers, escaping strings, using php filters etc.)

So it is a good habbit to use variables and store cleaned values into variables. As an example let's look at the first_name field. What you expect users to enter is a string containing letters, maybe up to two spaces (some names might have spaces in them like Anna Marie) and maybe a dash (Jean-Paul). Everything elese should not be allowed (I guess). So you can use functions like trim() to remove spaces from the beginning and end of the input (users usually do not see them in the input fields if they press spacebar unintentionally), substr_count() to count spaces and dashes,mysql_real_escape_string to escape dangerous characters if they find way into the query, preg_match() for checking using regular expressions etc. If you expect user to enter a number you can use is_numeric() function for checking or you can cast input values to expected type.

When the form is submitted you have to first check whether all values are present at all. If there is a value missing your query will break if you do not shoot an error message or provide a default value:

// check the existence of each field
if(isset($_POST[first_name]) && !empty($_POST[first_name])) {
$first_name = trim(mysql_real_escape_string($_POST[first_name]));
} else {
// prepare an erro message
error_msg[] = 'You must provide your first name!';
// or provide a default value
$first_name = 'Nameless';
}
// do this for every input field of the form
...

Does anyone know of a good link for learning about filtering MySQL queries? I don't expect anyone to explain it on here, but a link to a good resource would be very handy. Or if anyone knows of a good book that explains some of the basic elements of PHP and MySQL. I'm open to any suggestions.